Re: [fw-wiz] Proverbial appliance vs software based firewall

From: Patrick M. Hausen
Date: 10/28/02

From: "Patrick M. Hausen"
To: "Marcus J. Ranum"
Date: Mon Oct 28 08:03:19 2002

Hi all!

MJR wrote:

> Jared Valentine wrote:

> >"Throwing more security software at a security problem that is caused by the
> >essentially insecure nature of software is like going to a blind barber-it
> >can only end badly and, more likely than not, bloodily."
> Cute turn of phrase but what's he really saying?
> He's saying he doesn't know what software is. And he probably
> doesn't know what hardware is either. He appears to think that
> buggy code only exists on hard disks, and doesn't realize that
> buggy code can also get compiled down into FPGAs or strongARM
> processors or coprocessors or whatever.
> >While it is correct that all security comes down to "software" at some
> >point, I would argue that hardware is much more secure. The difference
> >between the two is that the hardware manufacturer can build off of a trusted
> >base/OS. They can look at the OS line by line and strip out everything not
> >essential for the operating of that firewall.
> Go stand in the corner with Pescatore. ;)

A point that IMHO is still missing in this discussion is the
funny impression that you just need to sit down with an empty
file in your text editor and you could go and write a mature
_and_ secure implementation of TCP/IP from scratch.
It just needs to be small, the hardware vendor is in control
of everything - do you really believe your average hardware/
appliance manufacturer is competent enough to do that?

Let me explain:

As has been proven over and over again, implementing these
protocols is definitely non-trivial. And - as shown by
new funny ways of exploiting stateful inspection firewalls
(fragmentation tricks, partial ACK with carefully crafted
 buffers, ...) - the firewall _must_ have a _complete_
understanding of all protocols in question. If you ignore
application level checking of content (HTTP/HTML validation, anyone?)
completely, that leaves at least all of IP, TCP, UDP in the game.

*fetching Stevens, Volume II* ...

Berkeley Net/3 is about 15,000 lines of code total.
I seriously doubt that anyone can reimplement that in
an order of magnitude less code. 15,000 lines - all
controlled by the appliance vendor, yeah.
And all programmers are as smart as Van Jacobson, ...
And they will get everything correct the first time that
took Kahn, VJ, and all the other brilliant minds years
to solve.

Just look at how long and painful the process of reimplementing
the IP stack was for the Linux crowd. 3 implementations - or
are we counting 4 already? That means at least 2 complete
make-overs to get it right.

I'd pick an application level gateway based on a general
purpose OS with a BSD based IP implementation over something
that is called "embedded" or "appliance" or "micro-blah"
any time.

Doesn't it feel good to know that _they_ got tcp_input() right
and you don't need to worry about partial ACKs or some such,
when writing your application level proxy?


Patrick M. Hausen
Technical Director

-- GmbH         Internet - Dienstleistungen - Beratung
Scheffelstr. 17 a     Tel. 0721 9109 -0 Fax: -100
76135 Karlsruhe
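The "fragmentation tricks" mentioned above are worth seeing in code, because they show why a stateful firewall needs more than a correct reassembler: it needs the protected host's reassembler. The following is an added example, not code from the original post or from any product it mentions. It models IP fragment reassembly under two overlap policies ("first" fragment wins, "last" fragment wins) and shows that one constructed set of overlapping fragments reassembles to different payloads depending on the policy and on arrival order. Offsets are in bytes rather than IPv4's 8-byte units, the identification field is omitted, and the blocked string "EVIL" is a constructed stand-in for whatever content a firewall is meant to stop.

```python
# Added example (not part of the original message): overlapping IP fragments
# reassemble differently depending on the overlap policy, so a firewall that
# inspects under one policy can pass what the host behind it sees under another.
# Simplifications: byte offsets instead of 8-byte units, no IP identification
# field, no timeouts.
from dataclasses import dataclass
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class Fragment:
    offset: int   # byte offset of this piece within the original datagram
    data: bytes
    more: bool    # True unless this is the final fragment (the MF flag)


def reassemble(fragments: Iterable[Fragment], policy: str) -> Optional[bytes]:
    """Reassemble fragments in arrival order under one overlap policy.

    policy == "first": bytes already received are never overwritten.
    policy == "last":  a later fragment overwrites earlier bytes.
    Returns None if no final fragment was seen or a gap remains.
    """
    if policy not in ("first", "last"):
        raise ValueError("unknown policy: %r" % policy)
    buf = bytearray()
    filled = bytearray()   # 1 where buf[i] holds a received byte
    total = None
    for frag in fragments:
        end = frag.offset + len(frag.data)
        if end > len(buf):
            buf.extend(b"\0" * (end - len(buf)))
            filled.extend(b"\0" * (end - len(filled)))
        for i, byte in enumerate(frag.data):
            pos = frag.offset + i
            if policy == "last" or not filled[pos]:
                buf[pos] = byte
                filled[pos] = 1
        if not frag.more:
            total = end
    if total is None or len(buf) != total or not all(filled[:total]):
        return None
    return bytes(buf[:total])


FORBIDDEN = b"EVIL"   # constructed stand-in for content the firewall must block


def firewall_allows(fragments: List[Fragment], policy: str) -> bool:
    """A stateful firewall that reassembles under `policy`, drops incomplete
    datagrams, and blocks any payload containing FORBIDDEN."""
    payload = reassemble(fragments, policy)
    return payload is not None and FORBIDDEN not in payload


# Constructed fragment set: two honest fragments spell "HELLO GOOD DATA\n";
# a third fragment overlaps bytes 6..9 of both of them with "EVIL".
HONEST = [Fragment(0, b"HELLO GO", True), Fragment(8, b"OD DATA\n", False)]
OVERLAP = Fragment(6, b"EVIL", True)


def evasion(fragments: List[Fragment], fw_policy: str, host_policy: str):
    """Return (firewall verdict, payload the host actually reassembles)."""
    return firewall_allows(fragments, fw_policy), reassemble(fragments, host_policy)


if __name__ == "__main__":
    for label, order in (("honest first", HONEST + [OVERLAP]),
                         ("overlap first", [OVERLAP] + HONEST)):
        for fw, host in (("first", "last"), ("last", "first")):
            allowed, seen = evasion(order, fw, host)
            print("%-13s fw=%-5s host=%-5s allowed=%-5s host sees %r"
                  % (label, fw, host, allowed, seen))
```

Run it and note the two rows where the firewall says "allowed" while the host reassembles a payload containing the blocked string: the firewall's own reassembler was correct, it just disagreed with the host's. Since the attacker controls both the overlap and the arrival order, a firewall that guesses the wrong policy for the host behind it can be walked around with ordinary fragments, which is exactly why the full protocol, not a plausible subset, has to be implemented.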